Java XP Service Pack 2 —

Java 8 being delayed into the first quarter of 2014.

The release of Java 8, originally due in September this year, has been pushed back. The new version's headline feature—Project Lambda, which brings anonymous functions to Java—isn't yet finished.

The reason for this delay is, in part, security. Over the past eight months, a large number of criticalsecurity flaws have been found and patched. This has damaged Java's reputation, with Apple, for example, reacting by removing the Java plugin from its Safari browser.

In response, Mark Reinhold, chief architect of the Java Platform Group at Oracle, has announced a "renewed focus on security" that will tie up engineering efforts. As a result, Java 8 has now been pushed back until the first quarter of 2014.

Reinhold explained that Oracle originally planned to release a feature complete beta of Java 8, Milestone 6, back in January. It failed to do so, however, due to the incompleteness of Project Lambda. Removing Project Lambda might have allowed Oracle to meet its original September release date, but this wasn't felt to be an appealing choice, as Project Lambda is the most important feature of the new version. Without it, there'd be little point releasing Java 8 at all.

The Oracle announcement is reminiscent of Microsoft's push for security that started in the first half of the 2000s. Bitten by multiple security flaws and an increasingly bad security reputation, the company made security a top priority, developing new processes and procedures to ensure that security was baked into product design.

This eventually culminated in the release of Windows XP Service Pack 2, in 2004. This Service Pack contained a raft of security improvements, and some Microsoft insiders claim that it demanded so much development effort that it contributed, in part, to the delays suffered by Windows Vista.

I hope that also means a commitment from their various product teams at Oracle to also support those newer and latest versions of Java. We have at least three of Oracle's largest products in our environment that rely on Java on the desktop and every one of them only supports older versions of Java that we cannot patch because upgrading to a newer version will break functionality in those apps.

It's the Internet Explorer 6 issue all over again there. Since Oracle still doesn't fully support IE9 for E1 or their OBIEE suite, a browser that has been released for over two years, I'm not holding my breath.

With all of the versions of Windows prior to Windows 8, security was an after thought and a joke. If someone is running Windows and claims to be secure, they better be running Windows 8. I don't agree with the UI decisions in Windows 8, but as a long time Linux user, I can finally approve of the direction Microsoft's core Windows code is moving, in terms of security and performance. Windows for ARM was the best opportunity to fix all of Microsoft's problems, but they squandered it with a cut down, feature inhibited version that no one really wants.

Windows security model got its big revamp back in Windows Vista, and with refinements in 7. Win8 has incremental security fixes, of course, but it was no watershed moment for security.

With all of the versions of Windows prior to Windows 8, security was an after thought and a joke.

You are dead wrong. Windows Vista was what truly began Microsoft's full efforts in securing Windows. It introduced integrity levels, UAC permissions, ASLR, etc, etc, etc.

Vista was a lot more secure than XP but UAC was not part of that. It's so easily bypassed it can't really be called a "security feature".

It's absolutely a security feature when used at its highest setting. Especially when combined with a user account. It absolutely restricts what an application can do. Especially with older applications that were never updated to run with correct user rights and like to constantly write to the registry; Windows makes a virtual registry for those shit apps to write to so they can't do any damage to the real one.

Vista was a huge leap forward in security compared to Windows XP and Windows 7 and 8 followed with refinements and enhancements.

Nice 6 year old article. But the fact remains is; UAC at it highest security levels adds tangible benefits to the security of one's system. Without it at its highest level, you don't get the virtual registry benefits.

If Oracle at some point made a default option to automatically install updates, they wouldn't be in this mess now. It's 2013 and you still have to rely on user's clicking the update notification and installing, most won't go to this effort.

Nice 6 year old article. But the fact remains is; UAC at it highest security levels adds tangible benefits to the security of one's system. Without it at its highest level, you don't get the virtual registry benefits.

Nice 6 year old article. But the fact remains is; UAC at it highest security levels adds tangible benefits to the security of one's system. Without it at its highest level, you don't get the virtual registry benefits.

When did Vista come out again?

Irrelevant.

Quote:

"Without it at its highest level, you don't get the virtual registry benefits"

And as I've said several times already, Windows 7 and 8 have brought enhancements and refinements to Windows' security model and that includes UAC.

Vista was the jumping off point. And UAC is still a security feature. Unless you like running every application on your system as Admin.

Nice 6 year old article. But the fact remains is; UAC at it highest security levels adds tangible benefits to the security of one's system. Without it at its highest level, you don't get the virtual registry benefits.

When did Vista come out again?

Irrelevant.

Quote:

"Without it at its highest level, you don't get the virtual registry benefits"

And as I've said several times already, Windows 7 and 8 have brought enhancements and refinements to Windows' security model and that includes UAC.

Vista was the jumping off point. And UAC is still a security feature. Unless you like running every application on your system as Admin.

How is it irrelevant? his article comes from the time period you describe as the jumping off point. It says that that was no jumping off point. And how on earth is the most widely disabled feature of Windows by users to be considered a security feature? If no one uses it, it does nothing. Windows 7 brought refinement, but Windows 8 actually advanced it to a reasonable point... you appear to just be biased against Windows 8 though. Maybe my standard for what constitutes security is just higher than yours. Vista's features don't meet that standard, and the code quality of Vista (with memory leaks galore) made exploits a dime a dozen, regardless of any features and my opinion of them.

Because the boundaries defined by UAC and Protected Mode IE are designed to be porous, they can't really be considered security barriers, he said. "Neither UAC elevations nor Protected Mode IE define new Windows security boundaries," Russinovich wrote. "Because elevations and ILs don’t define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs."

He said Microsoft had communicated this in the past, but that the point needed reiterating.

And if you read the rest...

Quote:

"If you aren't guaranteed that your elevated processes aren't susceptible to compromise by those running at a lower IL, why did Windows Vista go to the trouble of introducing elevations and ILs? To get us to a world where everyone runs as standard user by default and all software is written with that assumption," he wrote.

Microsoft's drive is to get users off of administrative accounts and onto those with limited privileges, even if the new arrangement isn't water-tight from a security point of view, Russinovich said.

"The elevation and Protected Mode IE sandboxes might have potential avenues of attack, but they’re better than no sandbox at all," he wrote.

And if you switch the UAC to always notify then it is much more secure (though obviously most users wont do this).

I dunno if Microsoft says UAC isn't a security feature I'm inclined to take them at their word

It's utterly worthless at its default settings. Anything can just auto-elevant itself by attaching to calc.exe or notepad.exe. But switching it to the highest security level is when its benefits come into play. Any setting below that is as worthless as having it completely off.

I don't know whether Microsoft ended up prioritizing security on Windows back then, but it was already a decade later than the focus should have been started.

With all of the versions of Windows prior to Windows 8, security was an after thought and a joke. If someone is running Windows and claims to be secure, they better be running Windows 8. I don't agree with the UI decisions in Windows 8, but as a long time Linux user, I can finally approve of the direction Microsoft's core Windows code is moving, in terms of security and performance. Windows for ARM was the best opportunity to fix all of Microsoft's problems, but they squandered it with a cut down, feature inhibited version that no one really wants.

I still absolutely believe in the inherent and implemented superiority of all Unix based OSes over Windows, but I was impressed with all of the advancements they made. I followed the "Building Windows 8" blog the whole way through, and from a technical standpoint, it's an impressive step forward. I still don't approve of Microsoft or their methods though.

Security was shifted to the forefront as far back as XP SP2. Vista and it's overbearing UAC prompts was the first major security sandboxing effort to reduce user access footprints on the OS. I don't know what about WIndows 8 you think is more secure than say Windows 7, but to call the security effort in Windows 7 an afterthought and a joke leaves you with little credibility.

Nice 6 year old article. But the fact remains is; UAC at it highest security levels adds tangible benefits to the security of one's system. Without it at its highest level, you don't get the virtual registry benefits.

When did Vista come out again?

Irrelevant.

Quote:

"Without it at its highest level, you don't get the virtual registry benefits"

And as I've said several times already, Windows 7 and 8 have brought enhancements and refinements to Windows' security model and that includes UAC.

Vista was the jumping off point. And UAC is still a security feature. Unless you like running every application on your system as Admin.

How is it irrelevant? his article comes from the time period you describe as the jumping off point. It says that that was no jumping off point. And how on earth is the most widely disabled feature of Windows by users to be considered a security feature? If no one uses it, it does nothing. Windows 7 brought refinement, but Windows 8 actually advanced it to a reasonable point... you appear to just be biased against Windows 8 though. Maybe my standard for what constitutes security is just higher than yours. Vista's features don't meet that standard, and the code quality of Vista (with memory leaks galore) made exploits a dime a dozen, regardless of any features and my opinion of them.

You can't fix stupid. I don't see what idiot users who shut off UAC has to do with how effective UAC at its highest security level is. That has nothing to do with the OS itself.

Biased against Windows 8? I use Windows 8. That doesn't change the fact you're wrong about when Microsoft began taking security seriously. There isn't that great of a difference between Windows 8 and Vista as far as security goes except some higher entropy for ASLR, UAC improvements and some additional integrity levels. Not to mention the differences between 7 and 8's security models are even fewer.

Windows 8 still remains the most secure OS that Microsoft has ever created. But it is in no way heads and shoulders above 7 and Vista like you seem to think it is.

Because the boundaries defined by UAC and Protected Mode IE are designed to be porous, they can't really be considered security barriers, he said. "Neither UAC elevations nor Protected Mode IE define new Windows security boundaries," Russinovich wrote. "Because elevations and ILs don’t define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs."

He said Microsoft had communicated this in the past, but that the point needed reiterating.

And if you read the rest...

Quote:

"If you aren't guaranteed that your elevated processes aren't susceptible to compromise by those running at a lower IL, why did Windows Vista go to the trouble of introducing elevations and ILs? To get us to a world where everyone runs as standard user by default and all software is written with that assumption," he wrote.

Microsoft's drive is to get users off of administrative accounts and onto those with limited privileges, even if the new arrangement isn't water-tight from a security point of view, Russinovich said.

"The elevation and Protected Mode IE sandboxes might have potential avenues of attack, but they’re better than no sandbox at all," he wrote.

And if you switch the UAC to always notify then it is much more secure (though obviously most users wont do this).

It's sort of like a cop saying "Why wear a bullet proof vest when I can just be shot in the face or leg?"

If Oracle at some point made a default option to automatically install updates, they wouldn't be in this mess now. It's 2013 and you still have to rely on user's clicking the update notification and installing, most won't go to this effort.

If Oracle at some point made a default option to automatically install updates, they wouldn't be in this mess now. It's 2013 and you still have to rely on user's clicking the update notification **DECLINE SPAMWARE INSTALLS EVERY SINGLE TIME**, and installing, most won't go to this effort.

FTFY

Dear Oracle:I didn't want Ask Jeeves/Bing/Yahoo Toolbar/Spamware-of-the-week the last six times I had to install critical security updates on your broken browser plugin, and I don't want it now.

[You can't fix stupid. I don't see what idiot users who shut off UAC has to do with effective UAC at its highest security levels are. That has nothing to do with the OS itself.

It's also got nothing to do with UAC. If you wanted to ship a Windows Vista application you could ship with elevation at startup and annoy the crap out of standard users or you could ship with elevation only where necessary and annoy them less.

It wasn't until Vista you could realistically run an autonomous user under windows as a standard user. That's huge for security.

It took Microsoft about 6 years to go from being the worst to arguably one of the best in security.

I suspect we are very early on the path to getting Java browser secure.

The bigger question is will anyone care about Java six years from now?

(Or even two or three, since the magnitude of the projects aren't really equivalent.)

Java is doing reasonably well in its areas of strength; but as a tool for building browser plugins it certainly isn't getting any healthier. I'd be pretty shocked to see JVM support drop(only a zillion 'enterprise' server applications live on it); but java plugin no longer being a default part of the JVM install certainly would be nice.

Unfortunately, just enough, mostly legacy, sites use it that I can't just tell the users to go cry. (In particular, in educational contexts, Java seems to have been the tool of choice for scientists and science-education types who wanted to build simulators and demos in their pages, I assume that this is because people with a science, especially math/physics, background are more likely to have picked up some java, rather than the Flash that usually showed up elsewhere.)

Kinda wondering, considering Java plugin already runs sandboxed, what major architectural changes Oracle need to do that's going to take a year.

Sandboxing isn't the magic bullet we once hoped it would be. Many of Java's problems stem from exploits that escape the sandbox. This isn't unique to Java-- plenty of applications have been shown to have methods to break out of their sandbox-- but Java's has been shown to have a very leaky sandbox.

UAC is not a security boundary, but it is a security feature. Just as antivirus products are not a security boundary, but are security features. The term "security boundary" has a very specific meaning, crossing it implies escalation of privileges. Defense in depth security features don't necessarily create boundaries, but that doesn't make them useless.

As to Java, too little too late. Does anybody honestly expect a new uptake in applet development any time soon?

...Back OT: So Oracle's approach is to let the Java 7 plugin fester while they finally have a security think for the next version?

Welcome to 2002 Oracle.

This. I understand that development time is necessary for a total re-look at your security model. I get it. But if ever a situation demanded splitting your team into long-term and short-term "tiger teams", this is it. You don't just abandon an already-compromised product for a year while you pull everyone back for a re-think. You're leaving all your customer's rears out there in the wind in the meantime, or encouraging them to find ways to work without your product. Dumb. Really, really dumb.

I keep getting the impression of Oracle as one of those soulless corporate-zombie wastelands, where the managers are more concerned about the cover sheet of the TPS reports than what goes on with their customer. Maybe I'm wrong about that, but I can't see many other ways that this security circus could have been spawned there.

I have all Java browser plugins pulled from my company's workstations. We need the root engine to run Adobe Creative Suite, but that's another matter. I have freelancers in, now and again, working on projects. We can't watch them like a hawk every second, and I can't afford the chance that one will turn on the plugin and open up a security hole. A print vendor just this week tried to strong-arm me with our mutual client to use his java-powered file uploader, saying that "you could just turn Java on for us, and then turn it off again." And I told him, "No, we already have an upload solution that doesn't require opening a known security hole into our systems. The fact that you rely on a compromised technology is your problem, not mine."

At this point, I've already moved on. I don't need Java in the browser to get our work done. While I applaud the fact that Oracle finally realizes that security is something to be taken seriously, I think it's probably a little too late to save the reputation of the product.

So much talk focuses solely on the client-side of Java. The server side of Java is where the majority of Java work is done.

Beefing up security is super-important for large enterprise Java applications. Businesses using Java for their enterprise applications would suffer severely if they had to rewrite all of their applications in a different language.

That's a risk for using any technology, but it's got to be frustrating being a decision maker for the technology logistics of a large business using Java.

I don't see how this delay is related to security. I've been using jdk8 dev builds and reading the public lambda-dev mailing list of the actual Oracle jdk developers: the issue is that the new functional collections and streams libraries are still not finished and they want to have a solid six+ month window for testing and bug fixing. The core lambda language changes themselves have been pretty feature complete and haven't had much change for many months.

FWIW, Java already has anonymous functions in the form of anonymous inner classes; it's just a bulky, ugly syntax. Java 8 brings nicer lambda syntax, cleaner lambda byte code, better performance for lambda usage, obviously a major functional collections overhaul, and a ton of other features that aren't lambda related.